Download - Towards Modal Type Theory - cs.cmu.edufp/talks/mantova00-talk.pdf · Proposition | meaning given by rules of veri cation True proposition ... Conservative extension of ML based on


Towards Modal Type Theory

Frank Pfenning

Constructivism in Non-Classical Logics and Computer Science

In Memoriam Pierangelo Miglioli

Mantova, Italy

October 2, 2000

Disclaimer: Work in Progress!

Acknowledgments: Alberto Momigliano


Motivation: Programming

• Intensionality in programming.

• Logical foundations for

– run-time code generation [Davies & Pf.’96]

– partial evaluation [Davies’96]

– meta-programming [Moggi, Taha, Benaissa & Sheard’99]

• Propositional logic and simple types.


Motivation: Type Theory

• Reasoning about programs.

• Specifications via dependent types.

• Extracting programs from constructive proofs

or reconstructing proof obligations from programs.

• First-order logic and dependent types.


Combining Modal Logic and Type Theory

• Judgmental analysis of modal types and programs.

• Reasoning about programs with intensionality.

• Constructive first-order modal logic and beyond.

• Unexpected result: computational irrelevance.


This Talk

1. Judgmental Reconstruction of Modal Logic (S4)

2. Specifications via Dependent Types

3. Past Worlds and Hidden Variables

4. Dependent Types Revisited

5. Erasure Interpretation

6. Conclusion


Martin-Lof Type Theory

• Judgment — object of knowledge

• Evident judgment — something we know

• Proof — evidence for a judgment

• Proposition — meaning given by rules of verification

• True proposition — possesses verification


Hypothetical Judgments

• Basic judgment: A true “A is true”

• Hypothetical judgment:

A1 true, . . . , An true︸ ︷︷ ︸assumptions Γ

` A true

• Hypothesis rule: Γ1, A true,Γ2 ` A true

• Substitution property:

If Γ ` A true

and Γ,A true ` C true

then Γ ` C true.

• Implication introduction and elimination as usual

(internalizes hypothetical reasoning as a proposition).


Analytic Judgments

• Basic judgment: M : A “M is a proof term for A”“M has type A”

• Parametric and hypothetical judgment:

x1:A1, . . . , xn:An︸ ︷︷ ︸value variables Γ

`M : A

• Hypothesis rule: Γ1, x:A,Γ2 ` x : A

• Substitution property:

If Γ `M : A

and Γ, x:A ` N : C

then Γ ` [M/x]N : C.

• λ-abstraction, application, β-reduction as usual.


Categorical Judgments

• Categorical judgment: A valid if • ` A true

• Hypothetical judgment:

B1 valid, . . . , Bk valid︸ ︷︷ ︸true in all worlds

; A1 true, . . . , An true︸ ︷︷ ︸in current world

` C true

• Additional hypothesis rule: (∆1, A valid,∆2); Γ ` A true

• Additional substitution property:

If ∆; • ` A true

and (∆, A valid); Γ ` C true

then ∆; Γ ` C true.



• Proposition: 2A prop “A is necessarily true”

• Introduction:∆; • ` A true

2I∆; Γ ` 2A true

• Elimination:

∆; Γ ` 2A true (∆, A valid); Γ ` C true

2E∆; Γ ` C true

• Internalizes validity judgment as proposition.

• No structural rules required.



• Categorical judgment: M :: A if • `M : A.

• M :: A “M is an expression of type A”

• Hypothetical judgment:

u1::B1, . . . , uk::Bk︸ ︷︷ ︸expression variables

; x1:A1, . . . , xn:An︸ ︷︷ ︸value variables

` N : C

• Additional hypothesis rule: (∆1, u::A,∆2); Γ ` u : A

• Substitution property:

If ∆; • `M : A

and (∆, u::A); Γ ` N : C

then ∆; Γ ` [M/u]N : C.


Intensional Types

• Type: 2A “terms denoting expressions of type A”

• Decorate introduction and elimination with proof terms.

• Constructor:∆; • `M : A

2I∆; Γ ` boxM : 2A

• Destructor:

∆; Γ `M : 2A (∆, u::A); Γ ` N : C

2E∆; Γ ` let boxu = M in N end : C

• Reduction:

let boxu = boxM in N end −→ [M/u]N


Some Properties

• Type preservation and progress [Davies & Pf’96].

• Staging interpretation via multiple world semantics.

• Curry-Howard isomorphism with modal logic S4.

• Possible to add possibility (3) [Pf & Davies’00].

• Interpretation of lax logic (OA = 32A)

[Fairtlough & Mendler’97].

• Interpretation of monadic meta-language [Moggi’89].


Programming Language Design Philosophy

• Put the power of staging into the hands of the programmer.

• Simple and declarative.

• Conservative extension of ML based on modal types.

• Safe in the presence of effects.

• Staging errors are type errors.

• Enables, but does not prescribe optimizations.

• Compiler implementation in progress (PML).

• Some experiments in run-time code generation:

Fabius [Leone & Lee’94’96]

CCAM [Wickline, Lee & Pf.’98]


Example: Power Function

• Unstaged ` power : nat→ (nat→ nat)

fun power 0 b = 1

| power (s n) b = b * (power n b)

• Incorrectly staged 6 ` power : nat→ 2(nat→ nat)

fun power 0 = box (λb. 1)

| power (s n) = box (λb. b * (power n) b)

• Correctly staged ` power : nat→ 2(nat→ nat)

fun power 0 = box (λb. 1)

| power (s n) =

let box u = power n

in box (λb. b * u b) end


Examples: Laws of S4

• Curry-Howard isomorphism applied to modal logic S4.

• ` eval : 2A→A

fun eval x = let box u = x in u end

• ` apply : 2(A→B)→ 2A→2B

fun apply f x =

let box f’ = f

in let box x’ = x

in box (f’ x’) end end

• ` quote : 2A→22A

fun quote x = let box u = x in box (box u) end


Specifications via Dependent Types

• Dependent function type Πx:A.B(x) (∼ A→B) (∼ ∀x.B(x))

• Dependent sum type Σx:A.B(x) (∼ A×B) (∼ ∃x.B(x))

• Propositions m.

= n (∼ proof) as type of proofs.

• Specification of power function:

power : Πn:nat.Πb:nat.Σm:nat.m.

= bn

• Erasing dependencies we obtain:

power : nat→ nat→ (nat× proof)

• Usually do not compute elements of type proof.


Dependent Function Types

• Constructor:

Γ ` A : type Γ, x:A `M : B(x)ΠI

Γ ` λx:A.M : Πx:A.B(x)

• Destructor:

Γ `M : Πx:A.B(x) Γ ` N : AΠE

Γ `MN : B(N)

• Reduction:

(λx:A.M)N −→ [N/x]M


Dependent Sum Types

• Constructor:

Γ `M : A Γ ` N : B(M)ΣI

Γ ` 〈M,N〉 : Σx:A.B(x)

• Destructors:

Γ `M : Σx:A.B(x)ΣE1Γ ` π1M : A

Γ `M : Σx:A.B(x)ΣE1Γ ` π2M : B(π1M)

• Reductions:

π1 〈M,N〉 −→ M

π2 〈M,N〉 −→ N


Judgments Revisited

• Well-formed types: Γ ` A : type

• Definitional equality: Γ ` A = B : type

• Derived from reduction M −→M ′ and evaluation.

• Type conversion:

Γ `M : A Γ ` A = B : typeΓ `M : B

• Generalized substitution property:

If Γ `M : A

and Γ, x:A ` N : C(x)

then Γ ` [M/x]N : C(M).


Example Revisited

• Proof objects:

p0 : Πb:nat.1.

= b0

p1 : Πb:nat.Πn:nat.Πm:nat.m.

= bn→ b ∗m .= bn+1

• Recall: power : Πn:nat.Πb:nat.Σm:nat.m.

= bn

• Power function with correctness proof:

fun power 0 b = 〈1, p0 b〉| power (s n) b =

〈b * π1 (power n b),

p1 b n (π1 (power n b))

(π2 (power n b))〉


The Problem: Properties of Non-Existent Objects

• Consider the staged version of the power program:

fun power 0 = box (λb. 〈1, p0 b〉)| power (s n) =

let box u = power n

in box (λb. 〈b * (π1 (u b)),

p1 b n (π1 (u b)) (π2 (u b))〉) end

• 6 ` power : Πn:nat.2(Πb:nat.Σm:nat.m.

= bn)

• 6 ` Πn:nat.2(Πb:nat.Σm:nat.m.

= bn) : type

• Violates staging by accessing n.

• n is used only in the proof object!


Solution: Reasoning about the Past

• Generalize judgment: ∆; Γ; Ω `M : A.

• ∆ = u1::A1, . . . , uk::Ak (expression variables),

available in all worlds.

• Γ = x1:B1, . . . , xn:Bn (value variables),

available only in current world.

• Ω = w1÷C1, . . . , wm÷Cm (hidden variables),

were available in a past world.

• No Hypothesis rule: ∆; Γ; (Ω1, w÷A,Ω2) 6 ` w : A !


Necessity Revisited

• Constructor:

∆; •; (Γ,Ω) `M : A

2I∆; Γ; Ω ` boxM : 2A

• Destructor:

∆; Γ; Ω `M : 2A (∆, u::A); Γ; Ω ` N : C

2E∆; Γ; Ω ` let boxu = M in N end : C

• Substitution principle:

If ∆; •; (Γ,Ω) `M : A

and (∆, u::A); Γ; Ω ` N : C

then ∆; Γ; Ω ` N : C.


Hidden Types

• M : [A] “M is a term of type A from the past”

• Constructor:

∆; (Γ,Ω); • `M : A[−]I

∆; Γ; Ω ` [M] : [A]

• Destructor:

∆; Γ; Ω `M : [A] ∆; Γ; (Ω, w÷A) ` N : C[−]E

∆; Γ; Ω ` let [w] = M in N end : C

• Substitution principle:

If ∆; (Γ,Ω); • `M : A

and ∆; Γ; (Ω, w÷A) ` N : C

then ∆; Γ; Ω ` [M/w]N : C


Example Revisited

• “Hide” proof objects.

• ` Πn:nat.2(Πb:nat.Σm:nat. [m.

= bn]) : type

• ` power : Πn:nat.2(Πb:nat.Σm:nat. [m.

= bn])

• Implementation:

fun power 0 = box (λb. 〈1, [p0 b]〉)| power (s n) =

let box u = power n

in box (λb. 〈b * (π1 (u b)),

let [w] = π2 (u b)

in [p1 b n (π1 (u b)) w] end〉) end


Dependent Types Revisited

• We cannot sort u::A, x:A, w÷A into zones because of


• Ψ ::= • | Ψ, x::A | Ψ, x:A | Ψ, x÷A

• Ψ replaces x:A by x÷A.

• Ψ⊕ replaces x÷A by x:A.

• Valid contexts: `Ψ ctx

` • ctx`Ψ ctx Ψ ` A : type` (Ψ, x:A) ctx

`Ψ ctx Ψ ` A : type` (Ψ, x::A) ctx

`Ψ ctx Ψ⊕ ` A : type` (Ψ, x÷A) ctx


Dependent Substitution Principles

• For expression variables:

If Ψ `M : Aand Ψ, u::A ` N : C(u)then Ψ ` [M/u]N : C(M).

• For value variables:

If Ψ `M : Aand Ψ, x:A ` N : C(x)Then Ψ ` [M/x]N : C(M).

• For hidden variables:

If Ψ⊕ `M : Aand Ψ, w÷A ` N : C(w)then Ψ ` [M/w]N : C(M).


Necessity Revisited

• Formation:

Ψ ` A : type

2FΨ ` 2A : type

• Constructor:

Ψ `M : A

2IΨ ` boxM : 2A

• Destructor:

Ψ `M : 2A Ψ, u::A ` N : C

2EΨ ` letu = M in N end : C


Hidden Types Revisited

• Formation:

Ψ⊕ ` A : type[−]F

Ψ ` [A] : type

• Constructor:

Ψ⊕ `M : A [−]IΨ ` [M] : [A]

• Destructor:

Ψ `M : [A] Ψ, w÷A ` N : C[−]E

Ψ ` let [w] = M in N end : C


Dependent Function Types Revisited

• Constructor:

Ψ ` A : type Ψ, x:A `M : B(x)ΠI

Ψ ` λx:A.M : Πx:A.B(x)

• Destructor:

Ψ `M : Πx:A.B(x) Ψ ` N : AΠE

Ψ `MN : B(N)

• Dependent sums are similarly straightforward.


Application: First-Order Modal Logic

• Define ∀ex. A(x) “for all ephemeral x, A(x)”

Quantifies over elements of current world.

• ∀ex.2A(x) is not necessarily well-formed.

• Define ∀pu.A(u) “for all persistent u, A(u)”

Quantifies over elements existing in all worlds.

• 2(∀pu.A(u)) ⊃ ∀pu.2A(u) is true.

• Define ∀0w.A[w] “for all ethereal w, A[w]”


Application: Subset Types

• Define x:A | B(x) as Σx:A. [B(x)].

• Derived rules:

Ψ `M : A Ψ⊕ ` N : B(M) − IΨ ` 〈M,N〉 : x:A | B(x)

Ψ `M : x:A | B(x) − E1Ψ ` π1M : A

Ψ `M : x:A | B(x) Ψ, w÷B(π1M) ` N : C − E2Ψ ` let [w] = π2M in N end : C


The Erasure Interpretation

• Slogan: “Forget about the Past!”

• Type “terms with no computational contents”

• Replace [A] by and propagate.

• Replace M : [A] by token ? and propagate.

• Orthogonal to necessity.


Properties of Erasure

• Theorem: Erasure commutes with type-checking and


• Theorem: Hidden variables are useless (computationally

irrelevant) under erasure interpretation.

• Dependently typed programs are correct and their erasure

executes in a well-staged manner.


Definitional Equality Revisited

• 2A is intensional (observable):

No congruence rule for boxM.

• [A] is computationally irrelevant (inobservable):

[−]EqΨ `M = N : [A]

• Other choices are possible.


Future Work on Type Theory

• Decidability of type-checking?

• Variations on rules?

• Variations on definitional equality?

• Application to quotient types?

• Classical reasoning in [A]? [Bauer’00]

• Investigate duality between 2 and [−].

• Integrate with DML, where index objects are restricted to

(tractable) constraint domains. [Xi & Pf’98] [Xi & Pf’99]

• Develop dependently typed linear logic?


Application: Linear Logic

• Traditional judgment: ∆; Γ `M : A

∆ (unrestricted variables), Γ (linear variables)

• Traditional sample rule:

∆; Γ1 `M : A ∆; Γ2 ` N : B ⊗I∆; (Γ1,Γ2) `M ⊗N : A⊗B

• New rule (adding hidden variables):

∆; Γ1; (Γ2,Ω) `M : A ∆; Γ2; (Γ1,Ω) ` N : B ⊗I∆; (Γ1,Γ2); Ω `M ⊗N : A⊗B

• This permits more programs under type assignment:

` λx. λy. x⊗ (λw. y)x : A −o B −o A⊗B


Related Work

• Useless variable elimination in functional programming.

• Vacuous and strict variables [Momigliano’00].

• Substructural λ-calculi [Wright’98].

• Hidden variables in Nuprl.

• Prop vs Spec in Coq.

• Squash types and proof irrelevance [Hofmann’96]



• Judgmental reconstruction of modal types (S4).

• Dependent types for full specifications.

• References to the past and hidden variables.

• Clear logical solution.

• Admits erasure interpretation.

• Other applications (subset types, linear type theory).